# Checkmarx MCP for AI Agents MCP

> Checkmarx lets you manage your application security posture directly through natural language commands. Trigger scans on codebases, analyze complex infrastructure flaws (KICS), pinpoint exact lines of vulnerable code, and calculate the optimal fix location—all without leaving your current chat window.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** appsec, sast, sca, code-scanning, cybersecurity, devsecops

## Description

Security scanning used to be a dashboard nightmare. You’d spend hours toggling between reports, manually cross-referencing vulnerability severity with specific files, just to figure out where to patch things. This MCP changes that. Instead of navigating complex cyber dashboards, you talk to your agent and it handles the heavy lifting for Checkmarx One.

Need to check if a new deployment breaks security standards? You can ask it to trigger scans across specific projects or even list all containers in an application group. It’ll give you status updates and results so you know exactly where you stand. If you're worried about misconfigurations in your IaC, the agent pulls KICS misconfiguration findings for Terraform, Dockerfiles, and Kubernetes YAML. The best part is that when it finds a flaw, it doesn't just tell you *that* there's a bug; it calculates the precise spot in your code where the patch needs to go. If this sounds too powerful for one tool, remember that Vinkius hosts thousands of MCPs, giving your agent access to every system you use.

## Tools

### cancel_scan
Stops an active Checkmarx scan job immediately, preventing unnecessary resource usage if the code context changes.

### get_project
Retrieves specific metadata for a designated Checkmarx project to ensure you are working with the correct codebase context.

### get_kics_results
Pulls specialized findings that focus only on misconfigurations within Infrastructure as Code (IaC) files like Dockerfiles and Kubernetes YAML.

### list_applications
Lists all defined Checkmarx One Applications, providing visibility into aggregated security risk across multiple microservices or projects.

### list_bfl
Calculates and returns the Best Fix Location (BFL) by referencing a specific vulnerability rule ID and scan ID.

### list_projects
Provides an inventory of all available Checkmarx One Projects, along with their metadata and linked applications.

### list_scans
Lists all historical or active scans for a project, showing the status, targeted branch, and timestamps to help you track job history.

### run_scan
Triggers a new Checkmarx One code scan, commonly used in CI/CD pipelines to enforce security quality on pull requests.

### get_scan_details
Checks the precise status and configuration of a specific scan, detailing which engines (SAST, SCA, KICS) were run and their timing.

### get_scan_results
Downloads SAST findings for a completed scan, providing vulnerability severity, state, description, and the exact lines of code affected.

## Prompt Examples

**Prompt:** 
```
What are the most critical vulnerabilities found in my API service?
```

**Response:** 
```
**Security Findings Summary**

| Severity | Count | CWE Code |
| :---: | :---: | :---: |
| Critical | 2 | CWE-89 (SQL Injection) |
| High | 3 | CWE-79 (XSS) |

*Details:* The two critical flaws are in `/api/users.js` at line 142 and `/auth/login.ts` at line 87. Use the BFL tool to find the perfect patch for each.
```

**Prompt:** 
```
Check my new deployment files for security issues.
```

**Response:** 
```
*KICS Report: Infrastructure Flaws*

Found 1 misconfiguration in `docker-compose.yml`:
* **Issue:** Exposed internal database port (Port 5432).
* **Line:** L7.
* **Recommendation:** Change the exposed network ports to private and use a service mesh for communication. This prevents external access.
```

**Prompt:** 
```
I'm worried about old vulnerabilities in the project.
```

**Response:** 
```
*Project: WebPortal v2*

**Scan Status:** Completed (ID #4521)
* **Total Vulnerabilities:** 12
* **Breakdown:** Critical: 2, High: 3, Medium: 7.

I recommend starting with the two critical SQL Injections. I can run a BFL analysis to give you the exact fix path for those immediately.
```

## Capabilities

### Scan Codebases and Projects
Get metadata listing all available Checkmarx projects or trigger a new SAST scan on your current codebase.

### Analyze Infrastructure-as-Code (KICS)
Focus solely on identifying misconfigurations within specific IaC files like Terraform, Kubernetes YAML, and Dockerfiles.

### Retrieve Vulnerability Details
Fetch detailed reports containing vulnerability severity, status, and the exact line of code where a flaw was detected.

### Pinpoint Fix Locations (BFL)
Calculate the point in your application's execution path where a single patch fully resolves a specific security vulnerability.

### Manage Scan Status
Check the current status, configuration, and timing of any running or historical Checkmarx scan.

## Use Cases

### Reviewing a Merged Pull Request
A developer asks their agent to run a scan on the current project branch and, upon completion, immediately list all critical vulnerabilities. The agent uses `run_scan` followed by `get_scan_results`, summarizing the top 5 issues right in the chat for rapid sign-off.

### Auditing Cloud Infrastructure Setup
A platform engineer needs to verify a new Kubernetes deployment. They ask the agent to check the specialized IaC metrics, and the MCP uses `get_kics_results` to isolate misconfigurations in the YAML before they hit production.

### Finding the Quickest Code Patch
A security engineer identifies an old XSS vulnerability. Instead of manually tracing the flaw, they ask the agent for the Best Fix Location (BFL). The MCP uses `list_bfl` and returns the exact line number and function call to fix it.

### Checking Application Coverage
A manager needs a full view of all microservices under one product umbrella. They ask for an overview, and the agent uses `list_applications` to provide a risk summary across the entire logical product line.

## Benefits

- Stop manual vulnerability triage. Instead of opening dozens of reports, you simply ask the agent to pull the severe findings and pinpoint them automatically.
- Eliminate context switching. You manage everything—from listing applications with `list_applications` to checking specific project details with `get_project`—without ever leaving your chat interface.
- Get surgical remediation advice. The Best Fix Location (BFL) tool calculates the exact optimal spot in your code for a patch, saving hours of guesswork for developers.
- Master IaC security checks. Use `get_kics_results` to focus only on misconfigurations inside Terraform or Kubernetes YAML files, ignoring standard source code flaws when necessary.
- Control your pipeline flow. You can trigger new scans with `run_scan`, check the status with `list_scans`, and even cancel redundant jobs using `cancel_scan`—all via natural language.

## How It Works

The bottom line is that your AI client becomes a natural interface to complex security infrastructure, turning technical dashboards into simple conversation prompts.

1. First, connect your AI client using a JWT token to authenticate with your enterprise Checkmarx One environment.
2. Next, ask the agent to perform a specific security action, like running a scan on a project or listing applications. The agent executes the necessary API call and retrieves raw data.
3. Finally, you prompt the agent again, telling it what insight you need—for instance, 'What's the best fix location for this XSS vulnerability?' The MCP processes the data and delivers the actionable answer.
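The pull-request gate described under Use Cases and the three-step flow above, as an added example that is not part of the original page or of the Vinkius/Checkmarx MCP: it chains `run_scan`, `get_scan_details`, `get_scan_results` and `cancel_scan` into a merge gate. The tool names are from the page; the argument names, response fields, state labels and the `call_tool` transport are assumptions, and `fake_checkmarx` is a constructed stand-in with sample data.

```python
# Added example, not the MCP's own code: sequences the page's tools (run_scan,
# get_scan_details, get_scan_results, cancel_scan) into a CI gate. Tool names are
# from the page; argument names, response fields, state labels and call_tool are assumed.
from typing import Any, Callable

ToolCall = Callable[[str, dict[str, Any]], dict[str, Any]]
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
TERMINAL = {"Completed", "Failed", "Canceled"}

def gate(call_tool: ToolCall, project_id: str, branch: str,
         max_polls: int = 10, block_on: str = "High") -> dict[str, Any]:
    """Run a scan, wait for it, and block if any open finding is at or above block_on."""
    scan_id = call_tool("run_scan", {"project_id": project_id, "branch": branch})["scan_id"]
    status = "Running"
    for _ in range(max_polls):
        status = call_tool("get_scan_details", {"scan_id": scan_id})["status"]
        if status in TERMINAL:
            break
    else:
        call_tool("cancel_scan", {"scan_id": scan_id})  # don't leave an orphaned job running
        raise TimeoutError(f"scan {scan_id} did not finish after {max_polls} polls")
    if status != "Completed":
        raise RuntimeError(f"scan {scan_id} ended with status {status}")
    results = call_tool("get_scan_results", {"scan_id": scan_id})["results"]
    # Findings already triaged as not exploitable (assumed state label) must not block the merge.
    open_findings = [r for r in results if r.get("state") != "NOT_EXPLOITABLE"]
    open_findings.sort(key=lambda r: SEVERITY_RANK.get(r["severity"], 99))
    blocking = [r for r in open_findings
                if SEVERITY_RANK.get(r["severity"], 99) <= SEVERITY_RANK[block_on]]
    return {"scan_id": scan_id, "passed": not blocking, "top": open_findings[:5]}

def fake_checkmarx() -> ToolCall:
    """Constructed stand-in for the MCP transport that returns canned sample data."""
    polls = iter(["Running", "Running", "Completed"])
    sample = [
        {"severity": "High", "cwe": "CWE-79", "file": "/web/view.js", "line": 12, "state": "TO_VERIFY"},
        {"severity": "Critical", "cwe": "CWE-89", "file": "/api/users.js", "line": 142, "state": "TO_VERIFY"},
        {"severity": "Critical", "cwe": "CWE-89", "file": "/auth/login.ts", "line": 87, "state": "NOT_EXPLOITABLE"},
    ]
    def call_tool(name: str, args: dict[str, Any]) -> dict[str, Any]:
        if name == "run_scan":
            return {"scan_id": "4521"}
        if name == "get_scan_details":
            return {"scan_id": args["scan_id"], "status": next(polls, "Completed")}
        if name == "get_scan_results":
            return {"scan_id": args["scan_id"], "results": list(sample)}
        if name == "cancel_scan":
            return {"scan_id": args["scan_id"], "status": "Canceled"}
        raise ValueError(f"unknown tool {name}")
    return call_tool
```

Swap `fake_checkmarx()` for a real MCP client call to run the gate against a live Checkmarx One tenant; the timeout branch cancels the job so an abandoned pipeline does not leave a scan consuming engine time.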

## Frequently Asked Questions

**How does Checkmarx MCP help me manage my application security findings?**
It lets your AI agent analyze complex vulnerability reports through natural conversation. Instead of manually navigating dashboards, you ask it to pull the findings you care about and get immediate summaries.

**Can I use Checkmarx MCP for cloud infrastructure checks?**
Yes, the MCP includes tools that focus specifically on Infrastructure as Code (IaC). It reads specialized metrics from Terraform, Kubernetes YAML, and Dockerfiles to find misconfigurations.

**What if I need a specific patch location for a code flaw?**
You can ask the agent to calculate the Best Fix Location (BFL) for any vulnerability. It tells you the exact optimal spot in your application's code where the patch needs to be applied.

**Does Checkmarx MCP help me with continuous integration?**
Absolutely. You can use it to trigger new scans automatically when a pull request is opened, ensuring that security quality is checked continuously throughout your CI/CD pipeline.

**What kind of projects can I list and analyze with this MCP?**
The tool lets you inventory all available Checkmarx Projects and Applications. This gives you a complete overview, allowing you to check security metrics across multiple related microservices or products.